Importing a Certificate Authority (CA)

In some cases we will need to import one or more Certificate Authorities (CAs) into our *SYSTEM store. You also have the option of importing them into your own store, but in most cases it's just as easy to import them into the *SYSTEM store.

The first thing you will need to do is upload the CAs you wish to import to your IBM i (System i, iSeries, AS/400). I normally do this using FTP and store them in the /tmp directory on the IBM i.

First, put the CAs in a directory on your PC that is easily accessible (I like to use a /temp directory on the C: drive). Then, start up an FTP client. I like to use the Windows basic FTP client. This is started by selecting Start-->Run and typing FTP into the prompt. (For Windows 8, press the Windows key and the R key at the same time to get the Run prompt.)

Once your FTP session is started, upload the CAs to your IBM i. In this case I'm uploading them from C:\temp to the /tmp directory on our IBM i.

Here is the same FTP session as text. The commands typed at the ftp> prompt are the data that was entered (shown in bold in the original screenshot):

ftp> open 172.29.171.59
Connected to 172.29.171.59.
220-QTCP at v171059.dal-ebis.ihost.com.
220 Connection will close if idle more than 5 minutes.
User (172.29.171.59:(none)): qsecofr
331 Enter password.
Password: **********
230 QSECOFR logged on.
ftp> cd /tmp
250-NAMEFMT set to 1.
250 "/tmp" is current directory.
ftp> lcd c:\temp
Local directory now C:\temp.
ftp> put cert1.cer
200 PORT subcommand request successful.
150 Sending file to /tmp/cert1.cer
226 File transfer completed successfully.
ftp: 1239 bytes sent in 0.25Seconds 4.96Kbytes/sec.
ftp> put cert2.cer
200 PORT subcommand request successful.
150 Sending file to /tmp/cert2.cer
226 File transfer completed successfully.
ftp: 1512 bytes sent in 0.05Seconds 32.17Kbytes/sec.
ftp> quit

Once your CAs are uploaded to your IBM i, go to the Digital Certificate Manager.

Select the "Select a Certificate Store" link.

You should be presented with a list of available certificate stores to work with. If the *SYSTEM store is not in this list, you must first create your *SYSTEM store. Select the *SYSTEM store and click on the Continue button.

You will be asked to enter the password for the *SYSTEM store at this point. Enter the password and click on the Continue button. (Note: if you don't know the password, you can select the Reset Password button and change it without needing to know the prior password.)

You should receive a confirmation screen similar to the one below. You are now working with the *SYSTEM store and can begin importing any CAs needed.

Select the "Expand All" button on the left side of the screen so that you can see more options available.

Click on the "Work with CA certificates" option.

You will now see a list of CAs already installed on your system. Most of them were installed when you created the *SYSTEM store.

The option we are looking for is at the bottom of the list and labeled Import. Find this button and click on it.

You will be asked for an Import file. This will be the fully qualified path to the CA that you uploaded previously. Once you enter the path, click on the Continue button.

Remember that when importing CAs that are "chained", you need to start with the topmost (root) CA first and work your way down the chain. Otherwise you'll receive an error saying that the CA you tried to import was not trusted, because its issuer is not yet in the store. In the example below we are importing cert1.cer first, then we will import cert2.cer after that.

You will now be presented with an input field to enter the CA certificate label. This is really just a text description of what you want to call the CA. You could use the description already associated with the CA, or anything you want.

In some cases it may make more sense to label them for what they are used for (for example, Google Certificates for GMail could be named GMail 1, Gmail 2, etc.)

If you want to find the CA's official label, go back to the .cer file on your PC and double click on it. Select the Certificate Path tab and you will see what the CA is named. That's what I did in this example, and for the label I used "Verisign Class 3 Public Primary Certification Authority - G5".

If the CA is successfully installed you will receive a message stating so. If there is an error, that will also be displayed.

In some cases when importing chained CAs you may get a message saying that the CA you tried to import already exists in the system store. If that is the case, simply move on to the next CA in the list.

Below is an example of a successful import of a CA.

Repeat the import steps above (Import, the import file path and the certificate label) for any other CAs, remembering to import them in order from top to bottom if they are a "chained" set of CAs.
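The two paragraphs above on chained CAs both come down to one question: which of the uploaded .cer files is the root and which is signed by which. As an added example, not part of the original article or of DCM itself, the following standard-library Python script reads the .cer files on the PC (binary DER or base64 PEM), pulls out each certificate's issuer and subject names, and returns the file order in which to import them (root first). The fake_cert sample certificates at the bottom are constructed skeletons built only to exercise the script; on real files you would call import_order with the bytes read from cert1.cer and cert2.cer.

```python
import base64, re
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def load_der(data):
    """Take a .cer file's bytes (binary DER or base64 PEM) and return raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    tbs = next(_children(_tlv(der, 0)[1]))[1]            # tbsCertificate comes first
    fields = [v for t, v in _children(tbs) if t != 0xA0]  # skip optional [0] version
    return fields[2], fields[4]     # serial, sigAlg, issuer, validity, subject, ...

def import_order(cer_files):
    """Order {filename: bytes} root first, then each CA signed by the one before."""
    info = {f: names(load_der(d)) for f, d in cer_files.items()}
    order = [f for f, (iss, sub) in info.items() if iss == sub]  # self-signed root
    if len(order) != 1:
        raise ValueError("expected one self-signed root, found %d" % len(order))
    while len(order) < len(info):   # byte-equal names are enough for ordinary chains
        nxt = [f for f in info if f not in order and info[f][0] == info[order[-1]][1]]
        if not nxt:
            raise ValueError("no CA in the set is issued by %s" % order[-1])
        order.append(nxt[0])
    return order

def _enc(tag, payload):   # minimal DER encoder (short-form lengths) for the sample
    return bytes([tag, len(payload)]) + payload

def fake_cert(issuer, subject):   # constructed sample: skeleton with only the fields names() reads
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name(issuer) + _enc(0x30, b"") + name(subject))
    return _enc(0x30, _enc(0x30, tbs))

SAMPLE = {"cert1.cer": fake_cert(b"Root CA", b"Root CA"), "cert2.cer": fake_cert(b"Root CA", b"Intermediate CA")}
```

import_order(SAMPLE) returns ["cert1.cer", "cert2.cer"], i.e. the root first, matching the order the article imports them in; an intermediate whose root is not in the set raises an error instead of silently producing an order DCM would reject.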